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Abstract. We discuss heuristic asymptotic formulae for the number of isogeny 
classes of pairing-friendly abelian varieties over prime fields, generalizing previous 
work of one of the authors [4]. 



Introduction 

Pairing-based cryptography uses non-degenerate pairings denned on a product G\ x G2 
of two abelian groups and taking values in a third abelian group G3. Typically, Gi, G2 
and G3 are cyclic groups of the same prime order r. An important source of suitable 
groups is elliptic curves over finite fields, and in recent years generalizations using higher 
dimensional abelian varieties have been proposed. 

As we shall recall briefly below, elliptic curves or abelian varieties possessing suitable 
subgroups for pairing-based cryptography satisfy very strong conditions, and are loosely 
referred to as pairing-friendly. These conditions suggest that they are very rare, and 
various upper bounds (either unconditional or depending on certain hypotheses) have 
been proposed, both for elliptic curves [17] , [21] and more recently for Jacobians of genus 
two curves [16]. In [4], one of the authors investigated a heuristic asymptotic formula 
for the number of pairing-friendly elliptic curves over prime fields, and the purpose of 
the present paper is to present and provide computational evidence for generalizations of 
this to higher dimensional abelian varieties. 

Let q be a power of a prime p and let ¥ q denote a finite field with q elements. Let A 
be an abelian variety over ¥ q of dimension g > 1. Let ir be the Frobenius endomorphism 
of A over ¥ q and let C w be the characteristic polynomial of the action ir on the £-adic 
Tate module of A. Then C w is a monic polynomial of degree 2g with integer coefficients. 
Furthermore, the complex roots of C v are q- Weil numbers, in other words algebraic 
integers {iri}i<i<ig satisfying -Kiiti = q for all i. In general, we call a monic polynomial of 
even degree and integer coefficients a q- Weil polynomial if all its roots are Weil numbers 
and if all its real roots occur with even multiplicity. Towards the end of the 1960's, Honda 
[12] and Tate [20] established a bijection, between isogeny classes of abelian varieties over 
a finite field ¥ q and the set of g-Weil polynomials. However, for our purposes, it is not 
necessary to distinguish between abelian varieties in the same isogeny class. Thus, to 
(the isogeny class of) any pairing-friendly abelian variety A over ¥ q we can associate a 
triple (r, C, g), where r is a prime such that A(¥ q ) contains a subgroup G\ of order r and 
C is the characteristic polynomial of the Frobenius endomorphism of A over ¥ q . Since 
the order of the group A{¥ q ) is equal to C(l), r divides C(l). 
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We now describe the conditions that a triple (r, C, q) as above must satisfy in order 
that the associated isogeny class of abelian varieties be pairing-friendly. We refer to 9 
(in the case of elliptic curves) and [7] (in any dimension) for background and motivation. 

By definition, the rho-value of the triple is p — p{A) — p(r, C, q) = 9 ^°^ , where A is 
any member of the corresponding isogeny class and g is the dimension of A. 

(1) Since #A(F q ) = C^(l), it follows from the fact that the roots of are g-Weil 
numbers that (y/q - l) 2g < #A(F q ) < {y/q+ if 9 . It follows that, given any p < 1, 
we must have p > po whenever q is sufficiently large (we assume that the dimension g is 
fixed). In cryptographic applications, we want p to be as close to 1 as possible, since for 
fixed r, computations in the field ¥ q will be faster. 

(2) There exists an integer k > 2 such that r divides $k(q)- Here, $fe is the fc-th 
cyclotomic polynomial. (Some authors allow k — 1, but we shall exclude this case. See 
Remark 11.71 ) Under some further mild restrictions, A(¥ q k) contains a subgroup G2 of 
order r different from G± and there is a computable non-degenerate pairing on G± x G 2 
that takes values in the r-th roots of unity in ¥ q k (see Proposition 16. II in the Appendix). 
We need the value of k to be sufficiently large for the discrete logarithm problem in ¥ q k 
to be unfeasible, but not so large the computations in this field become unwieldy. In 
practice, we think of k as bounded by about 50g. We call k the embedding degree of the 
triple (or of any abelian variety in the corresponding isogeny class). 

Thus, in applications to pairing-based cryptography we seek triples (r, C, q) with em- 
bedding degree k less than about 50<? and rho-value as close to 1 as possible. 

Furthermore, once a suitable triple (r, C, q) has been found, it is necessary to compute 
equations for some member of the corresponding isogeny class, the groups G\ and G2 
and to be able to compute the pairing. The only known method of constructing such 
abelian varieties is the CM-method, which is based on the reduction at primes above p 
of abelian varieties over number fields having complex multiplication, these being in turn 
constructed using theta functions or modular invariants. Since this is computationally 
very heavy, it seems reasonable to consider triples that can be obtained from the reduction 
of a fixed abelian variety, at least up to twist. See Remark II .61 

In what follows we shall always consider abelian varieties of a fixed dimension g. Since 
our heuristic arguments will be based mostly on the geometry of number fields, it is 
convenient to consider not triples (r, C, q) but triples (r, 7T, q) where 7r is a Weil number. 
Remark II. 31 and §[5] explain how to pass from one to the other in the cases we need. 

From now on, we restrict attention to abelian varieties over prime fields. 

We now outline briefly the contents of the paper. We fix an integer g > 1 (the 
dimension of the abelian varieties under consideration) , an integer k > 2 (the embedding 
degree) and a real number po > 1 (an upper bound on the rho-value). In § [TJ we fix a 
CM-field K of degree 2g and a primitive CM-type S on K and we explain a heuristic 
argument that estimates asymptotically as x — > 00 the number of triples (r, n,p) with 
7r a g-Weil number such that Q(n) — K , r < x, p prime with p < r « and with fixed 
embedding degree k. In fact, our estimate is only valid under a certain hypothesis (*), 
but similar growth can be expected even without this hypothesis (see Remark II. 4[) . In 
§ [U we discuss the effect of polynomial families on the asymptotic formulae discussed in 
§ [TJ The discussion is analogous to that in § 3 of 0J. As in the case of elliptic curves, 
polynomial families having generic rho-value less than or equal to the dimension g would 
produce counterexamples to the heuristics of §[21 See Remark [2~2l for a discussion of the 
only known counterexample. Numerical computations in relation to these heuristics are 
discussed in § [31 
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§ |4] proposes heuristic asymptotic formulae for triples (r, tt,|>) with n belonging to the 
set of CM-fields all having the same maximal real subfield and § [5] presents numerical 
computations in relation to the heuristics of § 2] For the convenience of the reader, we 
recall the following result, which generalizes Theorem 1 of |T| and for which we have been 
unable to find a reference. It guarantees that, under a condition which will be satisfied 
in many cases, triples do actually give rise to groups G± and Gi on which there is a 
computable non-degenerate pairing which justifies that the heuristics have a practical 
intcrpratation in pairing-based cryptography. 

Until now, no examples of triples (r, tt, q) of cryptographic size with rho- value less than 
g have been found. Our heuristics suggest that, given po < g, the set of triples (r,n,p) 
with Q(tt) equal to a fixed CM-ficld K and with rho-value at most po should be finite. 
This is essentially because the integral 

f x du 

J 2 U 2 ~~s~ (log U) 2 

appearing in (|1.2[) remains bounded as x — > oo when po < .9- In particular, when g > 2 
and K is fixed, we expect there to be no triples (r, ir,p) with Q(n) — K and rho-value 
close to one. Since our main motivation was to study the frequency of triples with rho- 
value close to one, this is what led us to study what happens when K is allowed to vary 
over CM-fields having the same maximal real subfield. When K varies in this way, we 
expect there to be infinitely many triples with rho-value arbitrarily close to one when 
g < 2 but not when g > 3. This would follow from the estimate (|1.2I) . 

1. A HEURISTIC ASYMPTOTIC ESTIMATE WITH K FIXED 

In this section we fix the embedding degree k and the CM-field K of degree 2g and 
we propose an asymptotic heuristic estimate as x — > oo for the number of triples (r, ir,p) 
using an approach similar to that already used for elliptic curves in [3]. See also § 3 of 
[10j . Let Oc denote a primitive fc-th root of unity. If F is a number field, we denote by 
e(k,F) the degree of the number field F n Q(Cfe)- This is well-defined since Q(Cfe) is a 
Galois extension of Q. 

If E is a CM- type on K, we denote by K the reflex field, by E the reflex CM- type and 
the reflex norm. We refer to [TS], Chapter 2, for details. 

Lemma 1.1. Let g and k > 1 be fixed. If po < ^py, then there are only finitely many 
triples (r, ir,q) of genus g with embedding degree k and rho-value < po. 

Proof. Let p be the rho-value of (r, n, q), and suppose that p < po- Recall that the 
k th cyclotomic polynomial <J>fc is a monic polynomial of degree <j>(k). Since r divides 

$A;(<z), we have r < &k{q)- On the other hand, 3>fc(g) ~ q^ > = r " < r s . Since 
po < ^py, these inequalities are incompatible when r is large. Hence r is bounded. But 
then q is bounded and, given q and g, there are only finitely many possibilities for the 
characteristic polynomial CV of the Frobenius endomorphism of a g-dimensional abelian 
variety over ¥ q . Indeed, CV is monic of degree 2g with integer coefficients, and the fact 
that every complex root 7r,; of CV satisfies |vr< ] = ^fq implies that the coefficients are 
bounded. 

We now begin the heuristic argument, which will lead to (|I.2I) . 

Let r be given. The probability that r is a prime and splits completely in Q(Cfc) is 
equal to the probability that r is prime and that r = 1 (mod fc) which is ^ /fc ^ log r . On the 
other hand, when r = 1 (mod k), has 4>(k) distinct roots (mod r). Thus if p is any 
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integer, the probability that <&fc(p) = (mod r) is roughly ^r-. Hence the probability r 
is prime and divides $ fe (p) is roughly (j}(k) \ ogr ^ 1 = 7^7. 

On the other hand, we want p to be a prime, tt € K to be a p-Weil number such that r 
divides N^/q(7t — 1). We ignore the case where r 2 divides Nk-/q(tt — 1), assuming that as 
r increases it occurs with negligible frequency. This means that there is a unique degree 
one prime ideal t of dividing r that also divides We assume that the Weil numbers 

7T behave randomly with respect to division by a non-zero ideal of K. This means that 
the probability that tt — 1 is divisible by r is -. In any number field, the average number 
of primes of degree one dividing a given rational prime is one, so that this is equivalent 
to the probability that r divides N^/q(7t — 1) being equal to K 

Now the events that r splits completely in Q(Cfc) and there exists a degree one prime in 
K dividing r are not independent in general. This is the case if and only if K and Q(Cfc) 
are linearly disjoint over Q. In general, the probability that r is a prime that enjoys both 
of these properties is ffi^ • 

Next, we need to estimate the expected number of p- Weil numbers tt e K with prime 

PO 

p < y as y — > 00, and apply this estimate with y — r s . Making suitable independence 
assumptions will then give us our formula. 

To do this, we fix a primitive CM-type T, on K and only consider 7r's that come from E. 
By definition, this means there exists an ideal *p of K such that ttOk = Ng, (*}3) . Since p is 
supposed prime and p — Nj,(*P)Nj,(Cp) = N^q(CP), this implies that *P is of degree one. 
Conversely, if *}3 is an degree one prime ideal of K dividing p such that (<p) is principal 
with a generator it such that tttt is rational, then since Nj ] ( < P)N| : ( < P) = N^-,q(^3), we 
have tttt = p and therefore tt is a p-Weil number. 

Let therefore Cl^ be the ideal class group of K and and denote by C/(S) the subgroup 
of Clf- consisting of the ideal classes 7 such that Ng(7) is the principal ideal class of K 
and, if A € 7, then the ideal Nj,(*4) of K has a generator a such that aa is rational. 
(This makes sense as a class group since if A is a principal ideal of K with generator /3, 
then Nj,(/3) is a generator of Nj,(-4) and Ng(/3)N£(/3) = N^,q(/3) is rational.) Let 
be the order of Cl(t). 

Now, the number of degree one prime ideals of K of norm at most y is equivalent to 
j^j, and these primes are equidistributed amongst the ideal classes. Hence the number 

of degree one prime ideals of K of norm < y that belong to C/(S) is equivalent to jj^j^- 

On the other hand, if *P € C7(E) is a degree one prime ideal, then by what has been said 
above, Ng(*P) has generator tt that is a Weil number. By Kroncckcr's lemma on roots of 
unity, another generator tt' is a Weil number if and only if there exists a root of unity rj 
in K such that tt' = tjtt. Thus, each such *J5 € C7(£) gives rise to % Weil numbers. 
We next make the following hypothesis: 

Hypothesis (*). The map N^(*P) on degree one prime ideals in CZ(E) is 

injective. 

This is easy to check when g < 3 or when if is a Galois extension of Q. 
When hypothesis (*) is true, the total number of Weil numbers obtained by this 
procedure associated to primes p < y is equivalent to w ^ hs Putting y = r~ , we 

K PO 

find that the number of triples (r, tt,p) as before with r < x and p < r 9 should be 
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equivalent to 

PQ 

e(k,K) WKhf, r~ e{k,K)gwxhj : x ^ 



2 ^ x r2 ( l °Sr) h k logr ^ p h K 2 ^r 2 -^(logr)2 

(where the sums are over all integers r between 2 and x). 
We deduce the following estimate. 

Pairing-friendly abelian variety estimate 1.2. Suppose that Hypothesis (*) is sat- 
isfied. Then the number of triples (r,ir,p) as above with r < x and p < r a and coming 
from the CM-type £ is equivalent as x — > oo to 

e(k, K)gwKhj, f x du 



Pohf, J 2 u 2 g (logu) 2 

When .9 = 1 this reduces to the formula previously obtained in [4] when K = Q(^/—D), 
since we assumed there that ir = t + y\J —D with y > (so there is an extra 2 in the de- 
nominator which doesn't appear here, while /ig = 1). In fact, the above argument counts 
separately the different conjugates of ir, all of which give rise to the same characteristic 
polynomial. 

Remark 1.3. Since characteristic polynomials correspond to isogeny classes of abelian 
varieties over finite fields, it is in many ways more natural to count triples of the form 
(r, C, p) , where C is the characteristic polynomial of the associated Weil number. Now two 
Weil numbers have the same characteristic polynomial if and only if they are conjugate 
in K. If Aut(-ftT) denotes the automorphism group of K, then the number of conjugates 
of an element of K is equal to the order of Aut(K). Thus, the number of triples (r, ir,p) 
as above is expected to be asymptotically equivalent to 

e(k,K)gwKhf, f x du 



#{k\it(K))p h k J 2 u 2 -ir(\ogu) 2 

as x — > oo. 

Remark 1.4. When Hypothesis (*) is satisfied, the above argument shows (uncondition- 
ally) that the number ir^ {x) of p-Weil numbers belonging to K and such that ttOk = 
Nj,(^P) for some degree one prime *J$ of K satisfies 

WKhf, f x du 



h K J 2 logw 

Presumably there is an estimate for (x) of the form Cs f£ for some constant 
Cs > even when (*) is not satisfied, although we know of no explicit formula for Cx; in 
general. 

Remark 1.5. Since there are only finitely many CM- types on a given CM-field K, and 
to every p-Weil number ir in K one can associate at least one CM-type E and a degree 
one prime ideal *}3 of K such that ttOk — N^(CP), it seems reasonable to expect that, 
asymptotically as x — > oo, the number ir-w c n(x) of p-Weil numbers 7r belonging to K with 
p prime is equivalent to 

L'Woil.if / 1 

J 2 lo g« 

for some constant C\veii,K > 0. When [K : Q] < 6, it is easy to calculate Cweii,if 
using Remark 11.41 (applied as necessary also to proper CM-subfields of K if there are 
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non- primitive CM- types). Again, however, we know of no simple formula for Cweii,K in 
general. Note that this question has a natural interpretation in terms of the number of 
isogeny classes of abelian varieties over prime fields with complex multplication by K. 

If this is indeed the case, then an argument similar to that leading up to (jl.2|) suggests 
that the number of triples (r, ir,p) with r < x, p < r 9 and fixed embedding degree k 
and such that n £ K should be asymptotically equivalent as x — > 00 to 

e(fc, K)gC W diK f x du 

Po J 2 u 2 ^^ (logu) 2 

Remark 1.6. Let TJg be the class field of K corresponding to C7(£). (This field is denoted 
by &q in the Main Theorem 1 on complex multiplication on page 112 of [H]). Then if 
7T e K is a p-Weil number and if txOk = Ng(^P) with *}3 of degree one, then *}3 splits 
completely in Hf.. If we know an abelian variety A over Hf, of complex multiplication 
type (K, £), then the reduction of A at any prime of Hf, above *P is a twist of a member 
of the isogeny class corresponding to 7r. In particular, we can construct a member of the 
isogeny class associated to any triple (r, n,p) that appears in (|1.2[) can be constructed in 
this way (up to twist and omitting finitely many primes of bad reduction) . 

When g = 1, K = K and Hf, is the Hilbert class field Hk of K, which is generated 
over K by the value j(a) of the modular j-function at any ideal o of the ring of integers 
of K . We can take for A any elliptic curve over Hk whose j-invariant is equal to some 
j(o). This is because End(.A) is then the maximal order of Hk and reduction modulo 
a prime ideal induces an injection of endomorphism rings. Furthermore, the equation 
p = Ttir implies that the reduction is always ordinary, so that the endomorphism ring of 
the reduced curve is also the maximal order of K . Theorem 6.1 of [23 implies that every 
isogeny class can be constructed in this way. 

On the other hand, in higher dimension, H^ is only the field of moduli of abelian 
varieties of complex multiplication type (K, E), and a further finite extension of Hf, is in 
general necessary to define an abelian variety of this type. 

Remark 1.7. Suppose that ¥ q contains the r th roots of unity. Let A/¥ q be a simple 
ordinary abelian variety of dimension g and suppose that the prime r 7^ p divides the 
order of A(¥ q ). Then q = 1 (mod r) and 1 is a root of the characteristic polynomial of 
the Frobenius endomorphism tt of A of multiplicity at least 2. Suppose that r is prime 
to the discriminant of the order Z[7r, n], which is contained in End(yl). Then r can be 
factored as a product of distinct proper End(^4)-ideals, say rEnd(j4) = rit2 ■■■th- We 
can then write A[r] as direct sum 

A[r] = A[ti] ® A[v 2 ] © • • • ® A[v h ]. 

We deduce that the action of tt on A[r] is semi-simple, so that 1-eigenspace of tt in A[r] 
is of dimension at least two. It follows that r 2 necessarily divides the order of A(¥ q ). 
Thus the assumption made in the argument leading up to (|1.2[) that we can ignore cases 
where r 2 divides the order A(¥ q ) is not justified when k = 1. 

Remark 1.8. In cryptographical applications, the abelian varieties used are in practice 
jacobians of curves. In genus two, a complete characterisation of the characteristic poly- 
nomials for which the corresponding isogeny class contains jacobians is given in [13] 

2. The influence of complete polynomial families 

As in the genus one case (see § 3 of [4]), complete polynomial families with small generic 
rho- value can be expected to produce more triples than predicted by (|1.2| . The argument 
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is a simple generalization of the proof of Theorem 3.1 of [4]. For a detailed discussion of 
the construction of such families in genus 2 or more, we refer to [7J. Examples of such 
families occur in [7J and [T3]. See also [TT]. We recall briefly the definitions given in [7J. 

As in the previous section, we fix k and the CM-field of K of degree 2g. We fix a CM- 
type Y, on K and denote by K the reflex field. We denote by a(x) the polynomial in K[x] 
obtained from a(x) by applying complex conjugation to the coefficients. Similarly, Nk/q 
denotes the norm from K to Q and, if a(x) £ K[x), then N K /q(a(x)) = Jlti a i( a ( x )) 
where, for each i, ai(a(x)) is the polynomial obtained by applying the complex embedding 
U{ of K to each coefficient of a(x). Following |7J and generalizing |S], a complete family 
(or polynomial) family associated is a pair of polynomials r (x) £ Q[x], 7r (x) £ K[x] 
such that: 

(i) ro(x) is irreducible and the field Q[x]/ro(x) contains a subfield isomorphic to K. 

(ii) tto(x)ttq(x) is a polynomial po(x) G Q[x], 

(Hi) ro(x) divides both &k(po(x)) and ^k/q(^o(x) — 1), 

(iv) there exist infinitely many integers xq such that tq(xq) is a prime (or a near-prime) 
and po(xo) is a prime. 

When xq is chosen such that ro(xo) and po(xo) are prime, then 7ro(a;o) is a po(xo)- 
Weil number and the characteristic polynomial of 7ro(xo) is C 7ro ( Xo )(x) = Nk/q(x — 
7ro(xo)). Furthermore, the condition (Hi) implies that ro(xo) divides both &k(po(xo)) 
and C 7ro ( a;o )(l), and therefore give rise to a triple (r (xo), tto(xo),Po(xo))- 

As xq tends to oo, the rho- value of the triple tends to B fcgra 1 so we can ^ n ^ s q uan tity 
the generic rho- value of the family. 

The heuristic asymptotic formulae of Bateman and Horn [2] and their generalization 
to polynomials with rational coefficients by Conrad |5j imply that, as X — > oo, the 
number of wq € Z with \wq \ < X such that ro(wo) and fo^o) are simultaneously prime 
is asymptotically equivalent to 

x du X 



7 2 (logu) 2 (logX) 2 

where the constant a > can be given explicitly. Let c > be the leading coefficient of 
r . Then, taking X = (x/c) 1 ^ dcgr ° , we deduce that the number of triples (r,ir,p) with 
r < x that the family is expected to generate is asymptotically equivalent to 

x l/ dogr 

(2.1) a' — — as x — > oo, 

(logx) 2 

where a' > is another constant. 

On the other hand, p. 21) predicts that the number of triples (r, 7r,p) with r < x should 
be finite when po < g and equivalent to 

( 2 2^ e(k,K)g 2 w K h f: a;^ 1 " 1 



Po(po-g)h$ (log a:) 



as cc — > oo when po > g. In any case, we see that the complete family is expected to 



provide more examples than predicted by (|1.2[) when dcgro > ^ — 1, but not when 
j — — < a — 1. A similar analysis holds if we assume (11.51) . 

Now, as | Wo | — >• oo, the rho- value of the triple (ro(wo), t^o( w o)tPo( w o)) tends to the 
generic rho- value of the polynomial family, which is g d ^° s r ^° . Thus, if the family is to 
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produce more examples than predicted by (|1.2j) or (|1.5|) . we must have 

<Po<3(l 



deg r deg r 

This argument is reversible provided we start with the strict inequalities g d ^° s r ^° < p < 
g(l+ dc ^ rg ) . We have therefore proved most of the following result. 

Theorem 2.1. Let notations be as above and assume the Bateman- Horn- Conrad heuris- 

tics m, w- 

(i) Suppose that the polynomial family parametrized by ro(w) and tto(vj) produces, 
asymptotically as x — > oo, more triples (r, n,p) with r < x than predicted by or 
( TO)) - Then g^^ < Po < + aii^)- Furthermore, one has degp Q < degr . 

(ii) Conversely, suppose that g d ^ p ° < po < <?(1 + dc g ro ) . XTien i/ie polynomial family 
produces more triples than predicted by il.ty) or U.5]) . 



To complete the proof, one needs to show that degpo < degr in (i). But points 
(i) and (ii) of the definition of a complete family show that degro and degpo are even 
integers, so this follows from the inequality 9 ^°^ o ° < g(l + d C g ro )• 

What happens when po =.<?(! + dc g rQ ) depends on the relative sizes of the constants 

Pa(pa-g)h & 

deg r 

Remark 2.2. The inequality degp < degr in (j) of the theorem implies that the if the 
family produces more examples than predicted by (jl.2[) . then its generic rho- value is at 
most g. When g — 1, the only known polynomial family that satisfies this condition 
and that produces curves over prime fields is the well-known Barreto-Naehrig family of 
prime-order elliptic curves, where 



a' and e ^^J Q 9 _^ hs appearing in (|2.1|) and in (|2.2j) . On the other hand, there doesn't 
seem to be any simple rule about what happens when g d cg Po = pq. 



r (w) = 36w 4 + 36w 6 + 18i(/ + 6w; + 1, tt (w) 



2 

with t (w) — 6w 2 + 1 and yo(w) = 6w 2 + 4w + 1. Here k = 12 and K = Q(a/— 3), and 
the family provides a genuine counterexample to (|1.2[) when po < 1-25. This is discussed 
in detail in 0]. 

3. Numerical evidence in the fixed CM-field case 

In this section, we report on numerical evidence for (|1.2[) when g = 2 and g = 3. 
In fact, when g < 3, in our context there is only one primitive CM- type up to Galois 
conjugacy, so we can test (|1.2I) by determining all possible Weil numbers in the field K 
without explicitly dealing with a reflex field, and then dividing out by the order of the 
automorphism group of K (see Remark 1 1 . 3|) . 

We wrote a program in Magma j3] to compute the number N(k, K, po, (a, b)) of char- 
acteristic polynomials CV coming from triples (r, 7r,p) with a < r < b and p < r~ , and 
compared it with the value 

e(k,K)gwKhj 1 f b du 



I(k,K,p ,(a,b)) - . 

#{Aat(K))poh£ J a u 2 ^(logM) 2 

predicted by (|1.2j) . Looping over r, for each such prime pair (r,p) satisfying r = 1 
(mod fc) and p a primitive fc-th root of unity mod r, we search for p-Weil numbers in the 
following way: 
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(1) Factorize pOx into prime ideals and make a list D(p) of all possible ideal de- 
compositions of the form act = pOx which are primitive, that is, those for which 
there is no decomposition of the form (a n K a )(a n K°) = pO^o for any proper 
CM sub-field K°. 

(2) For each pair (a, a) € D (p) test whether a is principal and if so find a generator 
7. Such an element satifies 77 = pr/ for some unit 77 of Ok- Determine whether 
rj = can be written in the form ee. If so then 7r = j is a p-Weil number and 
r a = {r/Tr : rj G Uk} is the complete set of p-Weil numbers corresponding to 
(a, a). 

For each Weil number n found, we check whether r divides N^/q(7t — 1) and store the 
minimal polynomial C n (and its associated data (r,p,p = ^7)) for those n satisfying 
this condition. 

Since p-Weil numbers are generators of principal ideals of the form Ng(*P) where 
*P has norm p, we need only consider those p for which there is a degree one prime 
above p in K. We obtain necessary conditions by working in the maximal abelian 
subfield M of the normal closure of K. We require that the decomposition field of a 
prime of M above p contains F = K n M, The Kronecker- Weber theorem tells us that 
F is contained in Q(C/) where / is the conductor of F and the decomposition group 
Gal(Q(C/)/F)<Gal(Q(C/)/Q) (Z//Z)* gives us congruence conditions on p (mod /) 
for such a decomposition to occur. For non-normal CM fields in genus two or three, F 
is a quadratic field and hence we need only compute ideal decompositions for half the 
congruence classes modulo /. For normal CM fields of degree 2g < 6 the Galois group 
is abelian and K = K = F so the proportion of primes we deal with is even smaller, 
namely l/2g. In a similar manner, since we require that r splits completely in K, we 
obtain further congruence restrictions on r when the maximal abelian subextension of K 
is not contained in Q(Cfe)- 

We ran this program on a selection of quartic and sextic CM fields for several values 
of k. The field invariants making up the constant term in the heuristic formula (|1.2p are 
varied in our sample. 

For normal CM fields of degree 4 and 6 we computed the type norm map explicitly to 
determine the unique decomposition (up to the Galois action). This approach of using the 
type norm map, while possible for other non-normal fields, was slower than computing 
the ideal decompositions due to requiring to perform calculations in the larger Galois 
closure. 

The tables have been placed together near the end of the paper for ease of use. Note 
that for a given CM field and rho-value, the heuristic is e(k,K) times a constant. 

Table[T] gives the values of N(k, K, p Q , (10 4 , 5 • 10 5 )) with rho- values po < 3.5 and with 
several values of k, for the class number one CM field K = Q[X]/ (X 4 + 4X 4 + 2), which 
has Galois group isomorphic to C4, the cyclic group of order four. Table [2] presents a 
similar table for the field Q(Cs) another normal cyclic CM field of class number one. 

Table[3]presents a table in the same format, this time for a non- normal quartic CM field 
whose Galois group is isomorphic to D s , the dihedral group of order 8. The cyclic quartic 
CM field examples took between 5000-10000 seconds to compute, whereas a non-normal 
quartic CM field example took 20000-30000 seconds. 

Tables HH6] gives the values of N(k, K, p , (10 4 , 5 • 10 5 )) with p < 5.1 for several values 
of k for some sextic CM fields with one of three Galois groups: Ce, G12 := C2 x S3 or 
G24 := Cf x C3. It proved computationally too challenging to compute the heuristic value 
for a generic sextic field having Galois group of order 48 so we did not produce any data for 
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such a field. The data for the normal sextic CM field examples was computed relatively 
quickly: approximately 2300 seconds for each value of k. The sextics having Galois group 
G12 took between 20000 and 60000 seconds each; the examples with Galois group G24 
took under 15000 seconds. An explanation for why the G24 examples were quicker to 
compute than the G12 examples is that the latter type have a proper CM subfield (of 
degree 2) so we must identify and discard the non-primitive ideal decompostions, unlike 
the G24 case. 

We would have liked to have extended the range of r, but the unavoidable large number 
of ideal factorizations in number fields prevented us from taking an interval for r too large 
or high up. 

In almost all the cases we computed, there is good agreement between the computed 
value of N(k, K, po, (a, b)) and the expected value I(k, K, po, (a, b)). A noticable exception 
occurs in Table [5] when k = 24, when the integral seems to seriously underestimate the 
actual number of triples found. To check whether the phenomenon persisted, we extended 
the computation to the interval (a, b) = (5 ■ 10 5 , 10 6 ) and that the computed values were 
in much closer agreement with expected ones. 



4. ASYMPTOTICS FOR A FIXED MAXIMAL REAL SUBFIELD. 

When po < g, then the integral 

f°° du 

J 2 U 9 (fogu)^ 

converges. Thus, the heuristic estimates (|1.2I) and (|1.5I) suggest that, if K is any CM-field 
of degree 2g and if po < g, there are only finitely many triples (r, w,p) with rho- value less 
than po- 

In order to try to understand where triples with rho- value less than g might be located, 
we now develop a heuristic formula for the asymptotic growth of the number of triples 
with rho- value bounded above by po and the CM-field K varies but with a fixed maximal 
real subfield Kq . Thus, we fix k, po and a totally real field Kq of degree g and seek an 
estimate for the number of triples (r, 7r,p) with r < x and for which the corresponding 
isogeny class over F p is ordinary and with CM by a field K whose maximal real subfield 
is Kq . We denote by Oq the ring of integers of Kq . Furthermore, a € Kq , we denote 
by {cti I 1 < i < g} the set of real embeddings of a. 

Let (r,n,p) be such a triple and write r = n + n. Then r G Oq and (X denoting a 
variable) 

(X - tt)(X - tt) = X 2 -rX+peO+[X] and \n\ < 2^ for all t € {1, 2, . . . , g}, 

the last inequalities being a consequence of the Weil bounds. Furthermore, the charac- 
teristic polynomial C n (X) of n factors over R[X] as 

g 

(4.1) OrpQ =Y[(X 2 -T t X+ P ). 

z=l 

Conversely, if r € Oq is such that \n\ < 2 v / p for all i, then X 2 — tX + p has two roots 
7r and 7f which are p-Weil numbers such that, if t ^ ±2.Jp, Kq(tt) is a CM field with 
maximal real subfield ■ 
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From elementary results about the geometry of algebraic number fields, we know that 
as T — > oo, the number R(Kq , T) of r <E Oq such that |r»| < T for all z satisfies 

where d{K^) is the discriminant of A^~. 

As before, the probability that r divides $fc(p) with r prime is rl l gr - On the other 
hand, if e(k,K^) denotes the degree of Kq Q(Cfc) over Q, then by the prime ideal 
theorem in number fields the expected number of degree one prime ideals of Kq dividing 
r given that r splits in Q(Cfe) is equal to e(k,KQ). From this, it seems reasonable to 
suppose that the probability that an integer r is prime and divides both $fc(p) and 

Nk+W/Q^- 1 ) is T^ffr- 

Thus we expect the number R(k, Kq , po, x) of triples (r, ir,p) with r < x and p < r~ 
to be equivalent to 

(4-2) E 2i?o(A-,2», 

r<K ° ESL 

where the sum over r is over integers and that over p is over primes, and the 2 appears 
before the Rq(Kq , 2y / p) because we distinguish between 7r and 7f. Hence 

(4.3) Rik, a +, po,x) ~ 2 -;;ff;f/ } e^e^ 1 

p<r a 



Now, in general, if a > 0, then the sum over primes J2r><u P° 1S equivalent to 



U' 



H-l 



as U — y oo. We take U = r ° and therefore replace V ppj in (14.31) by 



2 ff r 



which gives 

(4.4) R(k,K+,p ,x) 



p (g + 2)logr' 

gA3+ 1 e{k,K+) _ r ir(* +1 )- 



PoQj + 2)d{K+)V*£< (logr) 2 



Replacing the sum by an integral and rearranging slightly, we obtain: 

Fixed maximal real subfield estimate 4.1. Let g > 1 be an integer, let Kq be a 
totally real field of degree g, let k > 2 be an integer and let po > 1 be a real such that 
po > ^^y- Then the number R(k, Kq , po, x) of triples (r, w,p) with r < x is asymptotically 
equivalent as x —> oo to 

m*t,Po,*)- a49+1 < k ^ r^)- 2 du 



p (g + 2)d(K+)V 2 J 2 (log U ) 2 ■ 

Here d(K^) denotes the discriminant of Kq . 

Here the integral diverges to oo with x if and only if po\\ + ^) > 1. In particular, if 
g = 1 or if g = 2, we expect R(k, Kq, po, x) to tend to oo with x for all po > 1 but, as g 
increases, this should only be true for po larger than a bound which approaches 2. 
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Remark 4.2. Suppose that po < 2 and let (r, ir,p) be a triple. Then since 
Njr/Q(7r-1) < (VP+1) 29 ~P 9 <r"° < r 2 , 



r 2 does not divide N^ / /q(7t — 1) once r is larger than an explicit constant R(po). When 
this is the case, we deduce that M(t) contains at most element r + dividing any given r, 
and that the prime ideal r + is of degree one. Then, for any r > R(po), there is at most 
one prime p forming part of a triple (r, tt,p). 

Remark 4.3. Suppose that there are C prime ideals of norm r in Kq (where < C < g). 
Then the number of r e Oq with |r|j < 2^fp for all embeddings i of r in R is equivalent 
to 

so that the number of r in this range with r = 1 (mod r + ) and r + a degree one prime 
ideal of Kq dividing r should be equivalent to 

49pf C 



rd{K+y/i' 

PO 

In particular, if p is close to r » , this should be about 

49r i 5 I - 1 C 



(4.5) 



d{K+yi 



2 



Thus, if po > 2, we expect that as r increases, the number of Weil numbers tt with 
7r + ff € .Kg" and 7T7t = p to tend to infinity with r, and most of the triples (r, 7r,p) will 
have rho-value close to pq. On the other hand, if po < 2, we expect there to be at most 
one such n. 

For a numerical illustration, see Remark 15. II 

Remark 4.4. Let d > 1 be an integer. Then we can replace p by p d in these heuristics 
and obtain an estimate for the number of triples (r,w,q) with irit = q = p d . Indeed, in 
(|4.3|) it suffices to replace the sum over p < r a by the sum over p < r s . Then 

^ 4a 2dgr^(¥ +1 ) 2dgr po ^ + ^) 
^ P0 P2 ~ + 2) log r ~ p (rfg + 2)logr' 

so that the number N(k,KQ,po,x,d) of triples (r,TT,q) with r < a; and q = p d with p 
prime should satisfy 

R(k 7 K+, Po ,x,d) Y m/2 2^~2l 2^ p2 

d^+yfc,^) f x u p "^ + ^)- 2 du 



po(dg + 2)d(K+)^ J 2 (log U )2 

This tends to infinity if and only if po > {\ + jj^) _1 , so that we expect i?(/c, Kg , po, d) 
to tend to infinity when po > + but not when po < (| + 
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5. Numerical evidence in the fixed maximal real subfield case 

We continue to use the notation introduced in the previous section. For small a; and 
Po, we can compute R(k, K$, po, x) as follows. Since r < x, we know that | j < 2^/p < 

PO PQ 

2r 2 s < 2x 2 n . Hence, we need to: 

(1) Make a list L of all t € Oq such that \n\ < 2x^ for all i; 

(2) For each r G L, factor <I>fc(T — 1) into prime ideals in Kq and make a list M(t) of 
all degree one primes r + dividing $fc(T — 1) of norm r such that x > r > (■^j P0 ; 

(3) For each t + G M(r), search for primes p < x~ such that p = r — 1 (mod r + ) 
and \ri\ < for all i. 

The condition p = r — 1 (mod r + ) of (3) ensures that r divides $fc(p). Thus, for any 
t G £, t + G M(t) and prime p as in (3), the triples (r,ir,p) and (r,Tt,p) with 7r and tt 
the roots of X 2 — tX + p contribute towards the total R(k, Kq , po,x). 

PO 

Conversely, if (r, 7r,p) is a triple with r < x and p < r~ , and if t = n + 7f , then r G L. 
Since r divides N^/q(7t — 1), some prime ideal r + of K + above r must divide p + 1 — r. 
Then r + G M(r) and p satisfies (3), so that (r, tt,p) will be detected by the above search. 

Of course the major drawback of this approach is the need to factor $a;(t — 1). Since 
the size of $fc(T — 1) depends on the degree of it is necessary to choose k with <fi(k) 
small. On the other hand, decreasing p reduces the size of the list L of step (1). In any 
case, in practice it is only possible to make meaningful computations when <j){k) and x 
are small. 

Using this method, we computed a few tables with po at most equal to g. 

Let i? c (fc, Kq , po, (a, b)) be the number of distinct characteristic polynomials (|4.1[) 
associated to 7r's belonging to triples (r, ir,p) with a < r < b, tt + tt d Kg and p < r~ . 
Tables [THni compare the values of R c (k, Kq , po, (a, b)) with the heuristic estimate 



(Note that, if K is any CM-field whose maximal real subfield is Kq , then Aut(i^T) is 
generated by Aut(i4T^") and by complex conjugation: in particular, the order Aut(if) is 
always twice that of Aut(i^).) Table [7] shows the values of R c (k, Q(V2), p , (10 3 , 10 5 )) 
for k G {3, 4, 5, 6, 7, 8, 12} and values of po between 1 and 2. 

Table |5] presents the values of R c (k, Q(Vd), 2.0, (10 3 , 10 5 )) for k = 3, 4, 5, 6, 12 and for 
squarefree d < 50. The entries for which e(k,Q(Vd)) — 2 are marked with an asterisk; 
the predicted value for these entries is 2 J. In all other cases, e(k,Q(y/d)) = 1 and the 
predicted value is J. Table [9] shows the values of i? c (fc,Q(C 7 + C 7 _1 ),/Oo, (10 3 , 10 4 )) for 
k G {3, 4, 5, 6, 7} values of po between 1.5 and 3. 

The running times in Table [5] were dependent on the size of <j>(k), the degree of the 
k-th cyclotomic polynomial. For k ^ 5, 12 each table entry took under 10 minutes to 
compute. The value which took the most time to compute was k = 5 for the field Q(V5) 
which just under 3^ hours. The computations in Table [3] took under three hours when 
k G {3, 4, 6} but over ten times longer when k — 5 and k = 7. 

Remark 5.1. We can also use Table [9] to illustrate Remark 1431 When Kq = Q(( 7 + Cf 1 ) 
and k = 5, the table shows that there are no triples with rho-value between 2.3 and 
2.4, and 183 with rho-value between 2.4 and 2.5. However, only three values of (r, p) 
account for all these triples : (1051,307), (5741,1229) and (6091,1321) which give rise 



J = J(k,K+,p , (a,b)) 



gA^e(k,K+) 




#(Aut(K+))p (g + 2)d(K+y/2 



(log u) 2 
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respectively to 46, 66 and 74 triples with corresponding rho-values 2.469, 2.466 and 
2.474. If we substitute r = 1051, 5741 or 6091 in (JUSJ) with g = 3, C = 3 and divide 
by # Aut(Q(C7 + C7 1 )) = 3> we find that the predicted number of triples is respectively 
46.9, 68.7 and 72.1. 

6. Appendix 

Let A denote the dual abelian variety of A If n G Z, we write [ti]a for the multiplication- 
by-n isogeny on A and put A[n] — ker [ti]a- We recall that when n is prime to the char- 
acteristic of the base field, the Weil pairing of e™ order n is a canonical non-degenerate 
pairing on A[n] x A[n] with values in the n-th roots of unity. The purpose of this Appendix 
is to prove the following result. 

Proposition 6.1. Let A be an abelian variety over ¥ q , let r be a prime not dividing 
q and let A : A — > A be an isogeny of degree prime to rq. Let e^ be the pairing on 
A[r] x A[r] defined by e^(P.Q) — e r (P 1 X(Q)). Let C be the characteristic polynomial 
of the Frobenius endomorphism n of A and let C r be the polynomial with coefficients in 
Z/rZ obtained by reducing mod r the coefficients of C . Suppose that I is a simple root 
of C r . Let k > 2 be an integer and suppose that q k = 1 (mod 7') but q^l (mod r). Then 
there exist subgroups G\ C A(¥ q ) and G2 Q A(¥ q k) of order r such that restricted to 
G\ x Gi is non-trivial. 

Sketch of proof. First let <fi : A — > B be any isogeny, where B is a second abelian 
variety over ¥ q . Let G = ker(j> and let <f> : B — > A be the dual isogeny. Then the kernel 
G of is canonically isomorphic to the Cartier dual G D of G (see [18], page 143). The 
canonical duality G x G D —> G m induces a non-degenerate pairing : G x G — >• G TO . 
When <f> is multiplication by r, this is just the usual Weil pairing e r , as follows from the 
discussion in [15] . pages 183-185. On the other hand, if -0 : B — > C is a second isogeny 
and if H — ker(ipcf)), then the definition of the canonical isomorphisms together with the 
functorial properties of Cartier duality show that 

(6.1) e (P,n(i2)) = e^{u{P),R), PeG, ReH, 

where u : G — > H is any homomorphism and u : H — > G is induced by the dual morphism 
u":!! 11 ><; n . 

Let 7T be the Frobenius endomorphism of A over ¥ q and let ir r be its restriction to 
A[r]. Put G = d, where Gi is defined as A[r] nker(7r - 1) = ker(7r r - 1) = A[r](¥ q ). The 
hypothesis that 1 is a simple root of C r implies that G\ is cyclic of order r. We apply 
(|6.ip with cj) : A A/Gi the projection and ip : AjG\ — >• A an isogeny such that is 
multiplication by r on A Take u to be the inclusion Gi C A[r], so that u : A[r] — > G\ is 
the projection. We deduce that e#(P,u(R)) = e r {P,R) for all P € G x , R £ A[r]. 

Since the roots of G come in pairs {7,7} with 77 = q, q is also a simple root of C r . 
Let G2 = ker(-7r — [q] a). We deduce that G2 is also cyclic of order r. Since r divides 
q — 1, points Q of G2 satisfy Tr k (Q) — [q k ]A(Q) = Q and so they are rational over ¥ q k. 

Consider the composition of homomorphisms 

Gi 4 A(G 2 ) C A[r] 4 Gi. 

Since 9 is a simple root of G r and g ^ 1 (mod r), there exists a unique subspace V of 
A[r) such that A[r] = A(G 2 ) ® V, is stable under 7r and 7r — [q]^ is invertible on V. On 
the other hand, if ir* = A _1 -S-A is the image of tt under the Rosati involution associated 
to A, then n*n = [q]A (see [T5], page 206). Since n* corresponds via A to n on A and also 
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on (A/Gi)", it follows that elements R of Gi satisfy ir(R) = [q](R). Since u is surjective, 
it follows that V = keru and, since A : G2 — > A(G 2 ) is an isomorphism, we deduce that 

the composite map G2 — > Gi is an isomorphism. 

Finally, if P 6 C?i, Q 6 G 2 then e( A '(P,Q) = e r (P,A(Q)) = e (P,uA(Q)) so that, 
since is non-degenerate, e A is non-trivial on Gi x G 2 . 

Remark 6.2. The Proposition shows that e( A ) restricted to Gi x G2 is non-degenerate. 
Now, the Tate pairing e T restricted to Gi x G2 can be defined in terms of as follows. 
Put B = A/Gx. Then 

e T (P,Q) = e 4) (P,TT k (R)-R), 

where R G B(¥ q ) is any point such that (f>(R) = A(Q). This will be non-degenerate if the 
composite map 

G 2 ^ A(G 2 ) C A(¥ gk ) ^ A(¥ qk )/4>(B(¥ qk )), 
where a is the projection map, is an isomorphism. Under the hypotheses of the Propo- 
sition, this will be the case, for example, if r 2 does not divide #^4(F 9 fc). 
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Table 2. Values of N(k, K, p , (10 4 , 5 • 10 5 )) for K 
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11.99 


3.1 


8 


13 


11 


11 


10 


14 


10.36 


25 


25 


17 


20.73 


3.2 


16 


23 


19 


20 


17 


25 


17.98 


44 


43 


36 


35.96 


3.3 


32 


31 


26 


34 


27 


39 


31.31 


65 


71 


64 


62.62 


3.4 


58 


59 


56 


57 


54 


66 


54.73 


116 


116 


115 


109.46 


3.5 


100 


97 


93 


93 


96 


117 


96.00 


206 


195 


191 


192.00 



Table 3. Values of N{k,K lPOl (10 4 ,5 • 10 5 )) for K = Q[X]/(X A + 8X 2 + 13). Invariants: w K =2,h ± = h k = 2, 
Gal(A7Q) - D s . 



HEURISTICS ON PAIRING-FRIENDLY ABELIAN VARIETIES 



17 



On 


fc = 2 


k = 4 


k = 5 


I 


k = 3 


k = 6 


I 


k = 9 


fc = 18 


I 


4.0 


6 


3 





2.99 


2 


4 


5.99 


22 


18 


17.97 


4.1 


8 


6 


2 


4.27 


6 


8 


8.54 


34 


24 


25.62 


4.2 


10 


6 


6 


6.10 


10 


18 


12.20 


46 


44 


36.60 


4.3 


14 


10 


8 


8.73 


14 


22 


17.46 


64 


54 


52.38 


4.4 


16 


11 


13 


12.52 


20 


30 


25.04 


82 


72 


75.13 


4.5 


24 


15 


23 


17.99 


30 


38 


35.98 


124 


116 


107.94 


4.6 


32 


24 


30 


25.90 


50 


62 


51.79 


180 


160 


155.37 


4.7 


44 


34 


42 


37.34 


80 


80 


74.68 


260 


236 


224.05 


4.8 


68 


51 


62 


53.94 


114 


116 


107.88 


390 


330 


323.63 


4.9 


90 


71 


82 


78.04 


166 


162 


156.09 


568 


454 


468.27 


5.0 


136 


104 


114 


113.11 


250 


224 


226.22 


812 


658 


678.66 


5.1 


224 


169 


159 


164.19 


380 


328 


328.38 


1238 


944 


985.15 



Table 4. Values of N(k, K, p , (10 4 , 5-10 5 )) for K = Q« 9 ). Invariants: 
WK = 18, h t = h k = 1, # Gal{K/Q) = 6. 



Po 


fc = 2 


fc = 4 


fc = 5 


fc = 32 


I 


fc = 3 


fc = 6 


fc = 24 


I 


3.9 





3 








1.05 


2 


4 


3 


2.10 


4.0 





3 








1.50 


2 


4 


5 


2.99 


4.1 





3 





1 


2.13 


4 


6 


7 


4.27 


4.2 


2 


3 





2 


3.05 


6 


6 


10 


6.10 


4.3 


4 


5 





4 


4.37 


8 


6 


15 


8.73 


4.4 


6 


5 


2 


6 


6.26 


14 


8 


21 


12.52 


4.5 


12 


8 


6 


9 


9.00 


20 


14 


32 


17.99 


4.6 


16 


12 


9 


13 


12.95 


22 


24 


53 


25.90 


4.7 


22 


15 


13 


20 


18.67 


32 


34 


67 


37.34 


4.8 


40 


23 


24 


30 


26.97 


44 


50 


84 


53.94 


4.9 


50 


35 


32 


42 


39.02 


62 


80 


119 


78.04 


5.0 


64 


52 


57 


58 


56.55 


110 


118 


160 


113.11 


5.1 


88 


74 


96 


84 


82.10 


164 


170 


214 


164.19 



Table 5. Values of N(k,K,p Q , (10 4 ,5 • 10 5 )) for K = Q[X]/(X 6 + 
24V 4 + 144V 2 + 27). Invariants: w K = 6, h t = 1, h k = 2, 
#Gal(Jf/Q) = 12. 



po 


fc = 2 


fc = 3 


fc = 4 


fc = 5 


fc = 6 


I 


fc = 7 


fc = 14 


fc = 35 


I 


4.4 





2 





2 


3 


1.04 


5 


2 


4 


3.13 


4.5 





2 





2 


4 


1.50 


10 


4 


4 


4.50 


4.6 


2 


2 





3 


5 


2.16 


11 


5 


6 


6.47 


4.7 


2 


3 





4 


6 


3.11 


15 


7 


10 


9.34 


4.8 


2 


6 


3 


6 


8 


4.49 


16 


14 


11 


13.48 


4.9 


2 


8 


4 


8 


8 


6.50 


23 


23 


17 


19.51 


5.0 


8 


13 


6 


15 


10 


9.43 


37 


37 


25 


28.28 


5.1 


12 


14 


9 


18 


14 


13.68 


48 


49 


40 


41.05 



Table 6. Values of N(k,K,p Q , (10 4 ,5 • 10 5 )) for K = Q[V]/(V 6 + 
35V 4 + 364V 2 + 1183). Invariants: w K = 2, h t = 4, h k = 16, 
# Gal(Jf/Q) = 24. 
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fc = 3 


k = 4 


k = 5 


k = 6 


k = 7 


fc = 12 


J 


k = 8 


J 


1.0 


1 














1 


0.16 





0.33 


1.1 


1 








1 





1 


0.36 





0.73 


1.2 


2 








1 


2 


2 


0.83 


1 


1.65 


1.3 


4 


1 





1 


3 


3 


1.92 


1 


3.85 


1.4 


7 


2 


5 


5 


4 


6 


4.59 


7 


9.18 


1.5 


15 


11 


14 


15 


12 


17 


11.21 


22 


22.42 


1.6 


36 


22 


28 


34 


25 


37 


27.95 


62 


55.90 


1.7 


81 


68 


62 


88 


62 


80 


71.04 


157 


142.09 


1.8 


200 


194 


192 


219 


161 


210 


183.80 


384 


367.60 


1.9 


493 


518 


467 


496 


534 


543 


483.16 


940 


966.33 


2.0 


1346 


1418 


1267 


1331 


1295 


1321 


1288.45 


2572 


2576.91 



Table 7. Values of R c (k, K+ , p , (10 3 , 10 5 )) for K+ = Q(-y/2). 



d 


fc = 3fc = 4 fc = 5 fc = 6fc=12 J 


d 


/j = 3fc = 4fc = 5/c = 6/c = 12 J 


2 


1346 1418 1267 1331 1321 1288.45 


26 


365 408 368 374 358 357.35 


3 


1144 1093 1049 1103 2199* 1052.02 


29 


675 718 688 662 660 676.73 


5 


1650 1808 3306* 1670 1703 1629.78 


30 


356 338 322 346 354 332.68 


6 


789 794 774 753 751 743.89 


31 


351 351 333 345 328 327.27 


7 


755 718 634 667 708 688.71 


33 


643 687 621 664 640 634.39 


10 


659 635 573 599 616 576.21 


34 


325 324 336 287 291 312.50 


11 


574 580 534 553 567 549.40 


35 


319 341 285 311 349 308.00 


13 


1090 1043 1064 975 1084 1010.75 


37 


634 596 654 614 609 599.12 


14 


521 526 494 491 432 486.99 


38 


309 320 299 313 302 295.59 


15 


486 460 487 443 475 470.48 


39 


325 334 280 307 306 291.78 


17 


967 954 952 880 902 883.87 


41 


609 651 580 537 602 569.14 


19 


422 480 450 395 412 418.03 


42 


320 280 316 303 255 281.16 


21 


883 753 799 798 810 795.25 


43 


302 300 296 274 300 277.88 


22 


396 415 405 379 414 388.48 


46 


307 289 258 300 253 268.66 


23 


377 393 418 378 396 379.94 


47 


273 258 311 257 252 265.79 



Table 8. Values of R c (k, Q(Vd), 2.0, (10 3 , 10 5 )) for k e {3, 4, 5, 6, 12} 
and d< 50 squarefree. Asterisks indicate the cases where e(k, Q(Vd) = 2. 



PQ 


k = 3 


fc = 4 


k = 5 


k = 6 


J 


k = 7 


J 


1.5 


3 





1 





0.65 


2 


1.96 


1.6 


3 





1 


1 


1.20 


2 


3.60 


1.7 


10 


11 


1 


3 


2.22 


6 


6.66 


1.8 


10 


11 


1 


5 


4.14 


9 


12.41 


1.9 


10 


28 


1 


9 


7.75 


24 


23.26 


2.0 


18 


42 


1 


15 


14.61 


30 


43.84 


2.1 


32 


53 


12 


35 


27.70 


77 


83.10 


2.2 


144 


82 


40 


68 


52.78 


230 


158.33 


2.3 


197 


82 


97 


160 


101.05 


324 


303.15 


2.4 


244 


232 


97 


236 


194.37 


716 


583.11 


2.5 


354 


519 


280 


362 


375.53 


1028 


1126.60 


2.6 


557 


1048 


714 


865 


728.59 


1647 


2185.76 


2.7 


1211 


1654 


1314 


1132 


1419.19 


3267 


4257.58 


2.8 


2474 


3050 


2640 


1598 


2774.87 


9820 


8324.62 


2.9 


5136 


5527 


5330 


3993 


5445.06 


19124 


16335.18 


3.0 


9378 


10116 


8179 


11699 


10721.16 


35287 


32163.49 



Table 9. Values of R c (k, K+, p , (10 3 , 10 4 )) for K+ = QCCr + Cf 1 )- 
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